Abstract. We present an algorithm which speeds scalar multiplication
on a general elliptic curve by an estimated 3.8% to 8.5% over the best
known general methods when using affine coordinates. This is achieved
by eliminating a field multiplication when we compute 2P + Q from
given points P, Q on the curve. We give applications to simultaneous
multiple scalar multiplication and to the Elliptic Curve Method of
factorization. We show how this im-
1. Introduction

on a general elliptic curve, by doing some arithmetic differently. Scalar
multiplication on elliptic curves is used by cryptosystems and signature
schemes based on elliptic curves. Our algorithm saves an estimated 3.8%
to 8.5% of the time to perform a scalar multiplication on a general
elliptic curve, when compared to the best-known general methods. This
savings is important because the ratio of security level to computation
time and power required by a system is an important factor when
determining whether a system will be used in a particular context.

Our main achievement eliminates a field multiplication whenever we are
given two points P, Q on an elliptic curve and need 2P + Q (or 2P − Q) but
not the intermediate results 2P and P + Q. This sequence of operations
occurs many times when, for example, left-to-right binary scalar
multiplication is used with a fixed or sliding window size.

Some algorithms for simultaneous multiple scalar multiplication alternate
doubling and addition steps, such as when computing
$k_1P_1 + k_2P_2 + k_3P_3$ from given points $P_1$, $P_2$, and $P_3$. Such
algorithms can use our improvement directly. We give applications of our
technique to the Elliptic Curve Method for factoring and to speeding the
evaluation of the Weil and Tate Pairings.

The paper is organized as follows. Section 2 gives some background on
elliptic curves. Section 3 gives a detailed version of our algorithm.
Section 4 estimates our savings compared to ordinary left-to-right scalar
multiplication with windowing. Section 5 illustrates the improvement
achieved with an example. It also describes applications to simultaneous
multiple scalar multiplication and the Elliptic Curve Method for
factoring. Section 6 adapts our technique to the Weil and Tate pairing
algorithms. Appendix A gives the pseudocode for implementing the
improvement, including abnormal cases.

2. Background 

Elliptic curves are used for several kinds of cryptosystems, including key
exchange protocols and digital signature algorithms [IEEE]. If q is a prime
or prime power, we let $\mathbb{F}_q$ denote the field with q elements.
When gcd(q, 6) = 1, an elliptic curve over the field $\mathbb{F}_q$ is
given by an equation of the form

$$E_{\text{simple}} : y^2 = x^3 + ax + b$$

with a, b in $\mathbb{F}_q$ and $4a^3 + 27b^2 \neq 0$. (See [Silverman, p. 48].)

A more general curve equation, valid over a field of any characteristic, is
considered in Appendix A. The general curve equation subsumes the case

$$E_2 : y^2 + xy = x^3 + ax^2 + b$$

with a, b in $\mathbb{F}_q$ and $b \neq 0$, which is used over fields of
characteristic 2.

In all cases the group used when implementing the cryptosystem is the
group of points on the curve over $\mathbb{F}_q$. If represented in affine
coordinates, the points have the form (x, y), where x and y are in
$\mathbb{F}_q$ and they satisfy the equation of the curve, as well as a
distinguished point O (called the point at infinity) which acts as the
identity for the group law. Throughout this paper we work with affine
coordinates for the points on the curve.

Points are added using a geometric group law which can be expressed 
algebraically through rational functions involving x and y. Whenever two 
points are added, forming P + Q, or a point is doubled, forming 2P, these 
formulae are evaluated at the cost of some number of multiplications,
squarings, and divisions in the field. For example, using
$E_{\text{simple}}$, to double a point in affine coordinates costs
1 multiplication, 2 squarings, and 1 division in the field, not counting
multiplication by 2 or 3 [BSS, p. 58]. To add two distinct
points in affine coordinates costs 1 multiplication, 1 squaring, and 1 division 
in the field. Performing a doubling and an addition 2P + Q costs 2 multipli- 
cations, 3 squarings and 2 divisions if the points are added as (P + P) + Q, 
i.e., first double P and then add Q. 

3. The Algorithm 

Our algorithm performs a doubling and an addition, 2P + Q, on an elliptic
curve $E_{\text{simple}}$ using only 1 multiplication, 2 squarings, and
2 divisions (plus an extra squaring when P = Q). This is achieved as
follows: to form 2P + Q, where $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, we
first find (P + Q), except we omit its y-coordinate, because we will not
need that for the next stage. This saves a field multiplication. Next we
form (P + Q) + P. So we have done two point additions and saved one
multiplication. This trick also works when P = Q, i.e., when tripling a
point. One additional squaring is saved when $P \neq Q$ because then the
order of our operations avoids a point doubling.

Elliptic curve cryptosystems require multiplying a point P by a large 
number k. If we write k in binary form and compute kP using the left-to- 
right method of binary scalar multiplication, we can apply our trick at each 
stage of the partial computations. 

Efficient algorithms for group scalar multiplication have a long history
(see [Knuth] and [Gordon1998]), and optimal scalar multiplication routines
typically use a combination of the left-to-right or right-to-left m-ary
methods with sliding windows, addition-subtraction chains, signed
representations, etc. Our procedure can be used on top of these methods
for m = 2 to obtain a savings of up to 8.5% of the total cost of the scalar
multiplication for curves over large prime fields, depending upon the
window size and form which is used. This is described in detail in
Section 4.

3.1. Detailed Description of the Algorithm. Here are the detailed
formulae for our procedure when the curve has the form
$E_{\text{simple}}$ and all the points are distinct, none equal to O.
Appendix A gives details for all characteristics. That appendix also
covers special cases, where an input or an intermediate result is the
point at infinity.

Suppose $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ are distinct points on
$E_{\text{simple}}$, and $x_1 \neq x_2$. The point P + Q will have
coordinates $(x_3, y_3)$, where

$$\lambda_1 = (y_2 - y_1)/(x_2 - x_1),$$
$$x_3 = \lambda_1^2 - x_1 - x_2, \text{ and}$$
$$y_3 = (x_1 - x_3)\lambda_1 - y_1.$$

Now suppose we want to add (P + Q) to P. We must add $(x_1, y_1)$ to
$(x_3, y_3)$ using the above rule. Assume $x_3 \neq x_1$. The result has
coordinates $(x_4, y_4)$, where

$$\lambda_2 = (y_3 - y_1)/(x_3 - x_1),$$
$$x_4 = \lambda_2^2 - x_1 - x_3, \text{ and}$$
$$y_4 = (x_1 - x_4)\lambda_2 - y_1.$$

We can omit the $y_3$ computation, because it is used only in the
computation of $\lambda_2$, which can be computed without knowing $y_3$
as follows:

$$\lambda_2 = -\lambda_1 - 2y_1/(x_3 - x_1).$$

Omitting the $y_3$ computation saves a field multiplication. Each
$\lambda_2$ formula requires a field division, so the overall saving is
this field multiplication.

This trick can also be applied to save one multiplication when computing
3P, the triple of a point $P \neq O$, where the $\lambda_2$ computation
will need the slope of a line through two distinct points 2P and P.

This trick can be used twice to save 2 multiplications when computing
3P + Q = ((P + Q) + P) + P. Thus 3P + Q can be computed using
1 multiplication, 3 squarings, and 3 divisions. Such a sequence of
operations would be performed repeatedly if a multiplier were written in
ternary form and left-to-right scalar multiplication were used. Ternary
representation performs worse than binary representation for large random
multipliers k, but the operation of triple and add might be useful in
another context.

A similar trick works for elliptic curve arithmetic in characteristic 2, as
is shown in the pseudocode in Appendix A.

Table 1 summarizes the costs of some operations on $E_{\text{simple}}$.

Table 1. Costs of simple operations on $E_{\text{simple}}$

Doubling     2P       2 squarings, 1 multiplication, 1 division
Add          P ± Q    1 squaring,  1 multiplication, 1 division
Double-add   2P ± Q   2 squarings, 1 multiplication, 2 divisions
Tripling     3P       3 squarings, 1 multiplication, 2 divisions
Triple-add   3P ± Q   3 squarings, 1 multiplication, 3 divisions


4. Comparison to Conventional Scalar Multiplication 

In this section we analyze the performance of our algorithm compared to
conventional left-to-right scalar multiplication. We will refer to adding
two distinct points on the curve E as elliptic curve addition, and to
adding a point to itself as elliptic curve doubling. Suppose we would like
to compute $kP_0$ given k and $P_0$, where the exponent k has n bits and n
is at least 160.

Assume that the relative costs of field operations are 1 unit per squaring
or general multiplication and a units per inversion. [BSS, p. 72] assumes
that the cost of an inversion is between 3 and 10 multiplications. In some
implementations the relative cost of an inversion depends on the size of
the underlying field. Our own timings on a Pentium II give a ratio of 3.8
for a 160-bit prime field and 4.8 for a 256-bit prime field when not using
Montgomery multiplication. Some hardware implementations for fast
execution of inversion in binary fields yield inversion/multiplication
ratios of 4.18 for 160-bit exponents and 6.23 for 256-bit exponents
[KocSav2002].

The straightforward left-to-right binary method needs about n elliptic
curve doublings. If the window size is one, then for every 1-bit in the
binary representation, we perform an elliptic curve doubling followed
directly by an elliptic curve addition. Suppose about half of the bits in
the binary representation of k are 1's. Then forming kP consists of
performing n elliptic curve doublings and n/2 elliptic curve additions.

In general, independent of the window size, the number of elliptic curve
doublings to be performed will be about n asymptotically, whereas the
number of elliptic curve additions to be performed will depend on the
window size. Define the value 0 < e < 1 for a given window size to be such
that the number of elliptic curve additions to be performed is en on
average. For example with window size 1, e is 1/2.



If we fix a window size and its corresponding e, then the conventional
algorithm for scalar multiplication needs about 2n + en field squarings,
n + en field general multiplications, and n + en field divisions. If one
inversion costs a multiplications, then the cost of a division is (a + 1)
multiplications. So the overall cost in field multiplications is

$$(2n + en) + (n + en) + (a + 1)(n + en) = (4 + a)n + (3 + a)en.$$

Now we analyze the percentage savings obtained by our algorithm, not
including precomputation costs. The above computation includes en
sub-computations of the form $2P_1 + P_2$. Writing each as
$P_1 + (P_1 + P_2)$ saves one squaring per sub-computation, reducing the
overall cost to (4 + a)n + (2 + a)en. The technique in Section 3 saves
another multiplication per sub-computation, dropping the overall cost to
(4 + a)n + (1 + a)en. This means we get a savings of

$$2e/((4 + a) + (3 + a)e).$$

When the window size is 1 and the inversion/multiplication ratio a is 
assumed to be 4.18, this gives a savings of 8.5%. When a is assumed to be 
6.23, we still obtain a savings of 6.7%. When the window size is 2 and 2P 
and 3P have been precomputed, we find that e = 3/8. So when a is 4.18, we 
get a savings of 6.9%, and when a is 6.23, we still obtain a savings of 5.5%. 
Similarly if the window size is 4, and we have precomputed small multiples 
of P, we still achieve a savings of 3.8% to 4.8%, depending on a. 

Another possibility is using addition/subtraction chains and higher-radix
methods. The binary method described in [IEEE, section A.10.3] utilizes
addition/subtraction chains and does about 2n/3 doublings and n/3
double-adds (or double-subtracts), so e = 1/3 in this case. (See
[Gordon1998, section 2.3] for an explanation of how we obtain e = 1/3 in
this case.) With a = 4.18, we get a 6.3% improvement.

Scalar multiplication algorithms that use addition/subtraction chains as
well as sliding window size may have lower e, but we still obtain at least
a 4.2% savings if e > 0.2 and a = 4.18.

[SaSa2001, Section 3.3] presents some possible trade-offs arising from
different inversion/multiplication ratios. We discuss this further in
Section 5.3.



5. Examples and Applications 

5.1. Left-to-Right Binary Scalar Multiplication. Suppose we would
like to compute $1133044P = (100010100100111110100)_2 P$ with left-to-right
binary method. We will do this twice, the standard way and the new way.
For each method, we assume that 3P has been precomputed. The next table
compares the number of operations needed (a = point additions, d = point
doublings, div = field divisions, s = field squarings, m = field
multiplies):

                                 Standard             Improved
1133044P = 4(283261P)            2d                   2d
283261P  = 128(2213P) − 3P       7d + 1a              6d + 2a (save 1m)
2213P    = 8(277P) − 3P          3d + 1a              2d + 2a (save 1m)
277P     = 8(35P) − 3P           3d + 1a              2d + 2a (save 1m)
35P      = 8(4P) + 3P            3d + 1a              2d + 2a (save 1m)
4P       = P + 3P                1a                   1a
Total:                           23div + 41s + 23m    23div + 37s + 19m




This saves 4 squarings and 4 multiplications. Estimating the division cost 
at about 5 multiplications, this savings translates to about 4.47%. 



5.2. Simultaneous Multiple Scalar Multiplication. Another use of our
elliptic curve double-add technique is multiple scalar multiplication, such
as $k_1P_1 + k_2P_2 + k_3P_3$, where the multipliers $k_1$, $k_2$, and
$k_3$ have approximately the same length. One algorithm creates an 8-entry
table with

$O$, $P_1$, $P_2$, $P_2 + P_1$, $P_3$, $P_3 + P_1$, $P_3 + P_2$, $P_3 + P_2 + P_1$.

Subsequently it uses one elliptic curve doubling followed by the addition
of a table entry, for each multiplier bit [Möller2001]. About 7/8 of the
doublings are followed by an addition other than O.

To form $29P_1 + 44P_2$, for example, write the multipliers in binary form:
$(011101)_2$ and $(101100)_2$. Scanning these left-to-right, the steps are

Bits   Table entry    Action
0,1    $P_2$          $T = P_2$
1,0    $P_1$          $T = 2T + P_1 = P_1 + 2P_2$
1,1    $P_1 + P_2$    $T = 2T + (P_1 + P_2) = 3P_1 + 5P_2$
1,1    $P_1 + P_2$    $T = 2T + (P_1 + P_2) = 7P_1 + 11P_2$
0,0    $O$            $T = 2T = 14P_1 + 22P_2$
1,0    $P_1$          $T = 2T + P_1 = 29P_1 + 44P_2$

There is one elliptic curve addition ($P_1 + P_2$) to construct the
four-entry table, four doublings immediately followed by an addition, and
one doubling without an addition. While doing 10 elliptic curve operations,
our technique is used four times. Doing the multipliers separately, say by
the addition-subtraction chains

1,2,4,8,7,14,28,29 and 1,2,4,6,12,24,48,44 

takes seven elliptic curve operations per chain, plus a final add (15 total). 
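
The double-add of Section 3.1 and its use in Sections 5.1 and 5.2, as an added Python example (not code from the paper): it tallies field operations so the Table 1 costs can be checked, and covers the abnormal cases for $E_{\text{simple}}$ only. The toy curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$, the sample points and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed toy curve y^2 = x^3 + x + 1 over F_23 (E_simple with a = b = 1).
P_MOD, A = 23, 1
ops = Counter()          # tally of field operations: M, S, D

def mul(u, v):
    ops["M"] += 1
    return u * v % P_MOD
def sqr(u):
    ops["S"] += 1
    return u * u % P_MOD
def div(u, v):
    ops["D"] += 1
    return u * pow(v % P_MOD, -1, P_MOD) % P_MOD

def add(P, Q):
    """Conventional affine P + Q (also doubles); None is the point O."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:
        lam = div(y2 - y1, x2 - x1)
    elif (y1 + y2) % P_MOD == 0:
        return None                           # Q = -P
    else:
        lam = div(3 * sqr(x1) + A, 2 * y1)    # tangent slope at P = Q
    x3 = (sqr(lam) - x1 - x2) % P_MOD
    return x3, (mul(x1 - x3, lam) - y1) % P_MOD

def double_add(P, Q):
    """2P + Q as (P + Q) + P, never computing y3 (Section 3.1)."""
    if P is None:
        return Q
    if Q is None:
        return add(P, P)
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:
        lam1 = div(y2 - y1, x2 - x1)
    elif (y1 + y2) % P_MOD == 0:
        return P                              # Q = -P, so 2P + Q = P
    else:
        lam1 = div(3 * sqr(x1) + A, 2 * y1)   # P = Q: tripling
    x3 = (sqr(lam1) - x1 - x2) % P_MOD
    if x3 == x1:
        return None                           # P + Q = -P, so 2P + Q = O
    lam2 = (-lam1 - div(2 * y1, x3 - x1)) % P_MOD
    x4 = (sqr(lam2) - x1 - x3) % P_MOD
    return x4, (mul(x1 - x4, lam2) - y1) % P_MOD

def scalar_mul(k, P, fused=True):
    """Left-to-right binary kP (k >= 1), window size 1."""
    T = P
    for bit in bin(k)[3:]:                    # bits below the leading 1
        if bit == "0":
            T = add(T, T)
        else:
            T = double_add(T, P) if fused else add(add(T, T), P)
    return T

def multi_scalar_mul(k1, P1, k2, P2):
    """k1*P1 + k2*P2 by joint left-to-right scanning (Section 5.2)."""
    table = {(0, 0): None, (1, 0): P1, (0, 1): P2, (1, 1): add(P1, P2)}
    T = None
    for i in reversed(range(max(k1.bit_length(), k2.bit_length()))):
        entry = table[k1 >> i & 1, k2 >> i & 1]
        T = add(T, T) if entry is None else double_add(T, entry)
    return T

def cost(fn, *args):
    """Run fn(*args) and return (result, field-operation counts)."""
    ops.clear()
    result = fn(*args)
    return result, dict(ops)

if __name__ == "__main__":
    P, Q = (3, 10), (9, 7)   # constructed points on the toy curve
    print(cost(double_add, P, Q), cost(lambda: add(add(P, P), Q)))
```

Because the toy group is tiny, the scalar-multiplication loops pass through O and through T = ±P, so the fallback branches are exercised as well as the normal path.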



5.3. Elliptic Curve Method of Factorization. The Elliptic Curve Method
(ECM) of factoring a composite integer N chooses an elliptic curve E with
coefficients modulo N. ECM multiplies an initial point $P_0$ on E by a
large integer k, working in the ring $\mathbb{Z}/N\mathbb{Z}$ rather than
over a field. ECM may encounter a zero divisor while trying to invert a
nonzero integer, but that is good, because it leads to a factorization of
N. ECM uses only the x-coordinate of $kP_0$.

[Mont1987, pp. 260ff] proposes a parameterization, $By^2 = x^3 + Ax^2 + x$,
which uses no inversions during a scalar multiplication and omits the
y-coordinate of the result. Its associated costs for computing the
x-coordinate are

P + Q from P, Q, P − Q    2 squarings, 4 multiplications
2P from P                 2 squarings, 3 multiplications

To form kP from P for a large n-bit integer k, this method uses about 4n
squarings and 7n multiplications, working from the binary representation
of k. Some variations [MontLucas] use fewer steps but are harder to program.

In contrast, using our technique and the method in [IEEE, section A.10.3],
we do about 2n/3 doublings and n/3 double-adds (or double-subtracts). By
Table 1 the estimated cost of kP is 2n squarings, n multiplications and
4n/3 divisions.

The new technique is superior if 4n/3 divisions cost less than 2n squarings 
and 6n multiplications. A division can be implemented as an inversion plus 
a multiplication, so the new technique is superior if an inversion is cheaper 
than 1.5 squarings and 3.5 multiplications. 

[Mont1987] observes that one may trade two independent inversions for
one inversion and three multiplications, using $x^{-1} = y(xy)^{-1}$ and
$y^{-1} = (xy)^{-1}x$. When using many curves to (simultaneously) tackle
the same composite integer, the asymptotic cost per inversion drops to
3 multiplications.



6. Application to Weil and Tate Pairings 

The Weil and Tate pairings are becoming important for public-key
cryptography [Joux2002]. The algorithms for these pairings construct
rational functions with a prescribed pattern of poles and zeroes. An
appendix to [BoFr2001] describes Miller's algorithm for computing the Weil
pairing on an elliptic curve in detail.

Fix an integer m > 0 and an m-torsion point P on an elliptic curve E. Let
$f_1$ be any nonzero field element. For an integer c > 1, let $f_c$ be a
function on E with a c-fold zero at P, a simple pole at cP, a pole of order
c − 1 at O, and no other zeroes or poles. When c = m, this means that $f_m$
has an m-fold zero at P and a pole of order m at O. Corollary 3.5 on
page 67 of [Silverman] asserts that such a function exists. This $f_c$ is
unique up to a nonzero multiplicative scalar. Although $f_c$ depends on P,
we omit the extra subscript P.

The Tate pairing evaluates a quotient of the form $f_m(Q_1)/f_m(Q_2)$ for
two points $Q_1$, $Q_2$ on E (see, for example, [BKLS2002]). (The Weil
pairing has four such computations.) Such evaluations can be done
iteratively using an addition/subtraction chain for m, once we know how to
construct $f_{b+c}$ and $f_{b-c}$ from $(f_b, bP)$ and $(f_c, cP)$. Let
$g_{b,c}$ be the line passing through the points bP and cP. When bP = cP,
this is the tangent line to E at bP. Let $g_{b+c}$ be the vertical line
through (b + c)P and −(b + c)P. Then we have the useful formulae

$$f_{b+c} = f_b \cdot f_c \cdot \frac{g_{b,c}}{g_{b+c}} \quad\text{and}\quad f_{b-c} = \frac{f_b \cdot g_b}{f_c \cdot g_{-b,c}}.$$

Denote $h_b = f_b(Q_1)/f_b(Q_2)$ for each integer b. Although $f_b$ was
defined only up to a multiplicative constant, $h_b$ is well-defined. We
have

$$h_{b+c} = h_b \cdot h_c \cdot \frac{g_{b,c}(Q_1) \cdot g_{b+c}(Q_2)}{g_{b,c}(Q_2) \cdot g_{b+c}(Q_1)} \quad\text{and}\quad h_{b-c} = \frac{h_b \cdot g_b(Q_1) \cdot g_{-b,c}(Q_2)}{h_c \cdot g_b(Q_2) \cdot g_{-b,c}(Q_1)}. \tag{1}$$

So far in the literature, only the $f_{b+c}$ formula appears, but the
$f_{b-c}$ formula is useful if using addition/subtraction chains. The
addition/subtraction chain iteratively builds $h_m$ along with mP.

6.1. Using the Double-Add Trick with Parabolas. We now describe
an improved method for obtaining $(h_{2b+c}, (2b + c)P)$ given $(h_b, bP)$
and $(h_c, cP)$. The version of Miller's algorithm described in [BKLS2002]
uses a left-to-right binary method with window size one. That method would
first compute $(h_{2b}, 2bP)$ and later $(h_{2b+c}, (2b + c)P)$. We propose
to compute $(h_{2b+c}, (2b + c)P)$ directly, producing only the
x-coordinate of the intermediate point bP + cP. To combine the two steps,
we construct a parabola through the points bP, bP, cP, −2bP − cP.

To form $f_{2b+c}$, we form $f_{b+c}$ and $f_{b+c+b}$. The latter can be
expressed as

$$f_{2b+c} = f_{b+c} \cdot \frac{f_b \cdot g_{b+c,b}}{g_{2b+c}} = \frac{f_b \cdot f_c \cdot g_{b,c}}{g_{b+c}} \cdot \frac{f_b \cdot g_{b+c,b}}{g_{2b+c}} = \frac{f_b \cdot f_c \cdot f_b}{g_{2b+c}} \cdot \frac{g_{b,c} \cdot g_{b+c,b}}{g_{b+c}}.$$

We replace $(g_{b,c} \cdot g_{b+c,b})/g_{b+c}$ by the parabola, whose
formula is given below. Evaluate the formula for $f_{2b+c}$ at $Q_1$ and
$Q_2$ to get a formula for $h_{2b+c}$.

6.2. Equation for Parabola Through Points. If R and S are points on
an elliptic curve E, then there is a (possibly degenerate) parabolic
equation passing through R twice (i.e., tangent at R) and also passing
through S and −2R − S. Using the notations $R = (x_1, y_1)$ and
$S = (x_2, y_2)$ with $R + S = (x_3, y_3)$ and $2R + S = (x_4, y_4)$, a
formula for this parabola is

$$\frac{(y + y_3 - \lambda_1(x - x_3))(y - y_3 - \lambda_2(x - x_3))}{x - x_3}. \tag{2}$$

The left half of the numerator of (2) is a line passing through R, S, and
−R − S whose slope is $\lambda_1$. The right half of the numerator is a
line passing through R + S, R, and −2R − S, whose slope is $\lambda_2$. The
denominator is a (vertical) line through R + S and −R − S. The quotient has
zeros at R, R, S, −2R − S and a pole of order four at O.

We simplify (2) by expanding it in powers of $x - x_3$. Use the equation
for E to eliminate references to $y^2$ and $y_3^2$.

$$\begin{aligned}
&\frac{y^2 - y_3^2}{x - x_3} - \lambda_1(y - y_3) - \lambda_2(y + y_3) + \lambda_1\lambda_2(x - x_3) \\
&\quad= x^2 + x x_3 + x_3^2 + a + \lambda_1\lambda_2(x - x_3) - \lambda_1(y - y_3) - \lambda_2(y + y_3) \\
&\quad= x^2 + (x_3 + \lambda_1\lambda_2)x - (\lambda_1 + \lambda_2)y + \text{constant}.
\end{aligned} \tag{3}$$

Knowing that (3) passes through $R = (x_1, y_1)$, one formula for the
parabola is

$$(x - x_1)(x + x_1 + x_3 + \lambda_1\lambda_2) - (\lambda_1 + \lambda_2)(y - y_1). \tag{4}$$

In the previous section we can now replace
$(g_{b,c} \cdot g_{b+c,b})/g_{b+c}$ by the parabola (4) with R = bP and
S = cP.

Formula (4) for the parabola does not reference $y_3$ and is never
identically zero since its $x^2$ coefficient is 1. Appendix A gives a
formula for this parabola in degenerate cases, as well as for a more
general curve.

6.3. Savings. We claim the pairing algorithm needs less effort to evaluate
a parabola at a point than to evaluate lines and take their product at that
point. The parabola does not reference $y_3$, so we can omit the
y-coordinate of bP + cP and can use the double-add trick.

Here is a precise analysis of the savings we obtain by using the parabola
when computing the Tate pairing. Again assume that we use the binary
method in [IEEE, section A.10.3] to form mP, where m has n bits. (It does
2n/3 doublings and n/3 double-adds or double-subtracts.) We manipulate
the numerator and denominator of $h_j$ separately, doing one division
$h_j = h_{\text{num},j}/h_{\text{denom},j}$ at the very end.

Analysis of doubling step: The analysis of the doubling step is the
same in the standard and in the new algorithms. Suppose we want to
compute $(h_{2b}, 2bP)$ from $(h_b, bP)$. We need an elliptic curve
doubling to compute 2(bP), after which we apply (1). If
$bP = (x_1, y_1)$ and $2bP = (x_4, y_4)$ then

$$\frac{g_{b,b}}{g_{2b}} = \frac{y - y_1 - \lambda_1(x - x_1)}{x - x_4}. \tag{5}$$

The doubling (including $\lambda_1$ computation) costs 3 multiplications
and a division. Evaluating (5) at $Q_1$ and $Q_2$ (as fractions) costs
2 multiplications. Multiplying four fractions in (1) costs
6 multiplications. The net cost is 3 + 2 + 6 = 11 field multiplications
(or squarings) and a field division.

Analysis of double-add step: The standard algorithm performs one
doubling followed by an addition to compute $(h_{2b+c}, (2b + c)P)$ from
$(h_b, bP)$ and $(h_c, cP)$. Similar to the above analysis we can compute
the cost as 21 field multiplications and 2 divisions. [The cost would be
one fewer multiplication if one does two elliptic curve additions:
(2b + c)P = (bP + cP) + bP.]

The new algorithm does one elliptic curve double-add operation. It costs
only one multiplication to construct the coefficients of the parabola (4),
because we computed $\lambda_1$ and $\lambda_2$ while forming (2b + c)P.
Evaluating the parabola (and the vertical line $g_{2b+c}$) twice costs four
multiplications. Multiplying five fractions costs another
8 multiplications. The total cost is 3 + 1 + 4 + 8 = 16 field
multiplications and 2 field divisions.

Total savings: Estimating a division as 5.18 multiplications, the
standard algorithm for $(h_m, mP)$ takes
(16.18 · 2n/3) + (31.36 · n/3) = (21.24)n steps, compared to
(16.18 · 2n/3) + (26.36 · n/3) = 19.57n steps for the new method, a 7.8%
improvement. A Weil pairing algorithm using the parabola will also save
7.8% over Miller's algorithm, because we can view the Weil pairing as "two
applications of the Tate pairing", each saving 7.8%.

Sometimes (e.g., [BLS2001]) one does multiple Tate pairings with P fixed
but varying $Q_1$ and $Q_2$. If one has precomputed all coefficients of the
lines and parabolas, then the costs of evaluation are 8 multiplications per
doubling step or addition step, and 12 multiplications per combined
double-add step. The overall costs are 32n/3 multiplications per
evaluation with the traditional method and 28n/3 multiplications with the
parabolas, a 12.5% improvement.
Appendix A. Pseudocode

The general Weierstrass form for the equation of an elliptic curve is:

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6, \tag{6}$$

subject to the condition that the coefficients $a_1$, $a_2$, $a_3$, $a_4$,
$a_6$ satisfy a certain inequality to prevent singularity
[Silverman, p. 46]. The negative of a point $P = (x_1, y_1)$ on (6) is
$-P = (x_1, -a_1x_1 - a_3 - y_1)$. [This seems to require a multiplication
$a_1x_1$, but in practice $a_1$ is 0 or 1.] If $P = (x_1, y_1)$ is a finite
point on (6), then the tangent line at P has slope

$$\lambda_1 = \frac{3x_1^2 + 2a_2x_1 + a_4 - a_1y_1}{2y_1 + a_1x_1 + a_3}. \tag{7}$$

Figure 1 gives the pseudocode for implementing the savings for an elliptic
curve of this general form. Given two points $P = (x_1, y_1)$ and
$Q = (x_2, y_2)$ on E, it describes how to compute 2P + Q as well as the
equation for a (possibly degenerate) parabola through P, P, Q, and
−(2P + Q).

Often the curve coefficients in (6) are chosen to simplify (7); the precise
choices depend on the field. For example, it is common in characteristic 2
[IEEE, p. 115] to choose $a_1 = 1$ and $a_3 = a_4 = 0$, in which case (7)
simplifies to $\lambda_1 = x_1 + y_1/x_1$.

Figure 1. Algorithm for computing 2P + Q and the equation for a parabola
through P, P, Q, and −(2P + Q), where $P = (x_1, y_1)$ and $Q = (x_2, y_2)$.



if (P = O) then
    if (Q = O) then
        parabola = 1;
    else
        parabola = x − x2;
    end if
    return Q;
else if (Q = O) then
    if (denominator of (7) is zero) then
        parabola = x − x1;
        return O;
    end if
    Get tangent slope λ1 from (7);
    parabola = y − y1 − λ1(x − x1);
    x3 = λ1(λ1 + a1) − a2 − 2x1;
    y3 = λ1(x1 − x3) − a1x3 − a3 − y1;
    return (x3, y3);
else
    if (x1 ≠ x2) then
        λ1 = (y1 − y2)/(x1 − x2);   /* slope of line through P, Q. */
    else if (y1 ≠ y2 OR denominator of (7) is zero) then
        parabola = (x − x1)^2;
        return P;   /* P and Q must be negatives, so 2P + Q = P. */
    else
        Get tangent slope λ1 from (7);
    end if
    x3 = λ1(λ1 + a1) − a2 − x1 − x2;
    /* Think y3 = λ1(x1 − x3) − a1x3 − a3 − y1. */
    if (x3 = x1) then
        parabola = y − y1 − λ1(x − x1);
        return O;   /* P + Q and P are negatives. */
    end if
    /* Think λ2 = (y1 − y3)/(x1 − x3) */
    λ2 = (a1x3 + a3 + 2y1)/(x1 − x3) − λ1;
    x4 = λ2(λ2 + a1) − a2 − x1 − x3;
    y4 = λ2(x1 − x4) − a1x4 − a3 − y1;
    parabola = (x − x1)(x − x4 + (λ1 + λ2 + a1)λ2) − (λ1 + λ2 + a1)(y − y1);
    return (x4, y4);
end if



